
If ICANN Won't Stand Up to EU in WHOIS Dispute, Then the U.S. Congress Should

The early designers of the Internet quickly realized that as the number of domain names flourished, there was a need for tracking domain name owners to resolve questions and conflicts that might arise. To that end, they created WHOIS, a public database with the names, phone numbers, email addresses, and mailing addresses of registered domain owners and operators.

This database has become a fundamental tool of transparency on the Internet, helping catch cybercriminals, stop malware and spam, and protect copyright and trademark owners. For example, Facebook has used the WHOIS database to identify a network of fake news sites spreading disinformation, and Microsoft has used it to identify fraudulent domains used for phishing attacks. Unfortunately, Europe's poorly crafted privacy law, the General Data Protection Regulation (GDPR), is undermining both the WHOIS database and the global multi-stakeholder governance structure that has been key to the Internet's flourishing. If the EU will not back down, and ICANN — the nonprofit organization that runs key technical functions of the Internet, including WHOIS — finds itself unable or unwilling to act, then the United States should step in to protect these global interests.

The GDPR went into effect in May 2018, requiring organizations to minimize the personal data they collect and granting individuals more control over how organizations use their data. Because the GDPR applies to any organization that processes the personal data of people in the EU, and the EU can seek penalties against violators wherever they are located, domain registrars that collect and publish WHOIS information from domain registrants must also be GDPR compliant, even if they are located in the United States.

Here is where things get sticky.

ICANN sets its policies through a transparent multi-stakeholder process involving the private sector, civil society, and governments. The goal of this process is to ensure fair and equitable outcomes and to foster global collaboration and consensus building — in short, the purpose is to encourage stakeholders to work together and avoid having a few countries tell the rest of the world what to do.

Some of these policies are about the WHOIS database. ICANN has contracts with domain registries and registrars requiring them to collect and publish domain ownership information in WHOIS. However, since the GDPR gives individuals a right to have their personal data erased, and GDPR violators face fines of up to €20 million or 4 percent of their annual turnover, some domain registrars have started violating their contracts with ICANN by no longer collecting all of the WHOIS data those contracts require. And while the U.S. government has pushed ICANN to make sure registrars collect and release WHOIS information, ICANN has failed to act.

In an attempt to update its rules before GDPR went into effect in May 2018, ICANN approved a temporary policy (the Temporary Specification for gTLD Registration Data) that made most of the personal information in WHOIS unavailable to the public. Under this policy, registrars and registries publish only redacted records, and third parties with a "legitimate interest" must request access to the non-redacted data from the registrar or registry on a case-by-case basis. These restrictions have already had a negative impact on those working to fight fraud and abuse online. For example, the electronics company Panasonic was unable to identify the owner of a domain that was using its logo to steal its customers' credentials. Furthermore, an October 2018 survey of 300 cybersecurity professionals found that this new policy is "significantly impeding cyber applications and forensic investigations and allowing more harm to victims," and 91 percent of respondents believed the redaction of WHOIS data was excessive.

This is not to say that ICANN should not modernize the WHOIS database. The WHOIS protocol (RFC 3912) is a plain-text query over TCP port 43 with no standard data format, no way to declare which character set a response uses (so non-ASCII names and addresses are not reliably supported), and no security controls: no client authentication, no access control, and no transport encryption. Its designated successor, RDAP (the Registration Data Access Protocol, RFCs 7480 through 7484), addresses those defects with JSON responses over HTTPS and a framework for authenticated, tiered access. But ICANN should make updates in a way that preserves the openness and transparency of the existing databases, balances the needs of different stakeholders, and does not simply bow down to the EU's overly restrictive privacy rules. To ensure that happens, the United States should step in to prevent the EU from steamrolling ICANN.
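The protocol shortcomings described above are easiest to see on the wire and in the responses. What follows is an added example, not code from the original post: a minimal RFC 3912 query encoder, the matching plain-TCP lookup, and a tolerant parser for the free-form "Key: value" responses, exercised against two constructed sample records (one complete, one redacted in the style registrars adopted under the Temporary Specification). The field names, redaction markers and sample values are assumptions chosen to resemble common gTLD output; they are not data from any real registry or registrar.

```python
"""Minimal WHOIS (RFC 3912) client and tolerant response parser.

Added example, not code from the original post. Both sample responses below
are constructed to look like typical gTLD WHOIS output; they are not real.
"""
import re
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43

# Strings registrars commonly put in place of a value after the 2018 Temporary
# Specification. There is no standard marker, so this list is a heuristic.
REDACTED_MARKERS = (
    "redacted for privacy",
    "data redacted",
    "please query the rdds service",
)


def build_query(name: str) -> bytes:
    """Encode a query exactly as RFC 3912 sends it: the name plus CRLF.

    No framing, no character-set declaration, no authentication. Embedded
    CR/LF is rejected so a caller cannot smuggle a second query into one.
    """
    if "\r" in name or "\n" in name:
        raise ValueError("query must not contain CR or LF")
    return name.encode("ascii") + b"\r\n"


def whois_query(name: str, server: str, timeout: float = 10.0) -> str:
    """Live lookup over plain TCP/43 (not exercised by the samples below)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(name))
        chunks = []
        while True:  # the server closes the connection when it is done
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    # The protocol never says which charset the server used, so any decode is
    # a guess; errors="replace" keeps non-ASCII data from aborting the parse.
    return b"".join(chunks).decode("utf-8", errors="replace")


# "Key: value" lines; the key runs up to the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_.-]*?):\s*(.*?)\s*$")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect "Key: value" lines into {lowercased key: [values]}.

    Keys repeat (several "Name Server" lines), so values are lists. Comment
    lines ("%", "#"), the ">>>" last-update line and free text such as legal
    notices are skipped. Heuristic by necessity: RFC 3912 defines no format.
    """
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("%", "#", ">>>")):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def registrant_contact(fields: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Registrant name/org/email, with None where the server redacted it."""
    out: Dict[str, Optional[str]] = {}
    for key in ("registrant name", "registrant organization", "registrant email"):
        values = fields.get(key, [])
        value = values[0] if values else ""
        hidden = not value or any(mark in value.lower() for mark in REDACTED_MARKERS)
        out[key] = None if hidden else value
    return out


def is_redacted(fields: Dict[str, List[str]]) -> bool:
    """True when no identifying registrant field survived redaction."""
    return all(v is None for v in registrant_contact(fields).values())


# Constructed sample: a pre-redaction style record.
FULL_RECORD = """\
Domain Name: EXAMPLE-CORP.COM
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Email: jane.doe@example-corp.example
Name Server: NS1.EXAMPLE-CORP.EXAMPLE
Name Server: NS2.EXAMPLE-CORP.EXAMPLE
>>> Last update of WHOIS database: 2019-12-20T00:00:00Z <<<
"""

# Constructed sample: the same kind of record as served after the Temporary Specification.
REDACTED_RECORD = """\
Domain Name: EXAMPLE-LOGIN.COM
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output
Name Server: NS1.EXAMPLE-LOGIN.EXAMPLE
"""

if __name__ == "__main__":
    for label, raw in (("full", FULL_RECORD), ("redacted", REDACTED_RECORD)):
        parsed = parse_whois(raw)
        print(label, registrant_contact(parsed), "redacted:", is_redacted(parsed))
```

Every decision in `parse_whois` and `registrant_contact` (which lines are fields, which key names matter, which strings mean "redacted") is guesswork imposed on a protocol that specifies none of it, which is why tooling built on WHOIS breaks whenever a registrar changes its output template; an RDAP response carries the same data as structured JSON with defined member names, so the parsing step disappears.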

The best way to do this, absent ICANN expeditiously changing its policy — call it the nuclear option — would be for Congress to pass a law requiring all U.S. registrars to gather and report WHOIS data. Because most major domain registrars are located in the United States, congressional action would ensure the majority of the WHOIS database remains intact.

The goal would not be to dictate the rules for other countries, as the EU is attempting to do, but rather to reassert that no government has the right to set the rules for others, by setting up a clear contradiction with the EU's privacy law. Such a U.S. law would result in many domain registrars making the WHOIS data publicly available rather than capitulating to the threat of European fines. Once ICANN sees that companies are operating under two WHOIS policies — an unsustainable situation — it will be forced to revisit its policy. The U.S. government should then work with key allies, such as Japan, to pressure the EU to limit the scope of the GDPR so it does not continue to undermine the multi-stakeholder framework that is the foundation of Internet governance.

By Daniel Castro, VP at Information Technology and Innovation Foundation – Daniel Castro is vice president of the Information Technology and Innovation Foundation, the leading think tank for science and technology policy, and director of the Center for Data Innovation.


Comments

Another data hog? By Volker Greimann  –  Dec 20, 2019 10:04 am PDT

I am afraid I do not follow your arguments at all.

How is protecting the personal, private information of our customers a bad thing? Are you saying that US congress should take a stand against the basic human right of each and every human being to the privacy of their personal information?

The EPDP is a group working within ICANN to find a middle way between the much abused free-for-all data privacy nightmare that was called WHOIS and the full redaction with an uncertain disclosure regime that is the current status quo. ICANN is finally working to innovate and adapt to the modern world and the basic rights of its customers.

No US law can force us - a European data processor - to go back to the WHOIS of old and expose the data of our customers willy-nilly to any spammer, faker, phisher and other criminal that wants them. If, on the other hand, US congress were to do the sensible thing (that has been the law in Europe for decades) and implement an obligation to accurately present your data on your commercial web pages and in your commercial emails, that would be another thing entirely…

And security firms can use other means to do their work. It is not like the criminals abusing their registrations use their real names, after all.

Stop crying for the protocols of old, innovate and adapt.

Facebook By Volker Greimann  –  Dec 20, 2019 10:06 am PDT

And since you quoted Facebook as a model that used whois (and keeps demanding its return), where is their public database with the real and accurate data of their users and advertisers? It sure would be helpful to see who is spreading that piece of hate speech and fake news ....

Finally, calling bullshit. By Volker Greimann  –  Dec 20, 2019 10:08 am PDT

You do realize you are blatantly misrepresenting the truth when you state: "some domain registrars have started violating their contracts with ICANN by no longer collecting the required WHOIS information".
Collection was never the issue, publication was. I am not aware of any registrars that stopped collecting registrant data.

According to ICANN: "EPAG [a Germany-based, ICANN-accredited By Daniel Castro  –  Dec 20, 2019 2:57 pm PDT

According to ICANN: "EPAG [a Germany-based, ICANN-accredited registrar that is part of the Tucows Group] recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules. ICANN requires that information to be collected, via its contract with EPAG which authorizes it to sell generic top-level domain name registrations."

https://www.icann.org/news/announcement-2018-05-25-en

Admin and Tech data is not registrant data By Volker Greimann  –  Dec 23, 2019 2:33 am PDT

I fail to see how your response invalidates my point. _Registrant data_ continued to be collected even in those cases; only data that was mainly duplicate data, or data of a third party the registrar had no contractual relationship with, was announced to be stopped from further collection.

Data protection is good for you. Embrace it instead of fighting it.

You questioned the accuracy of what I By Daniel Castro  –  Dec 23, 2019 5:08 am PDT

You questioned the accuracy of what I wrote, so I provided further information to back up the point I made. You also made an additional comment, which is irrelevant to the point I made.

Moreover, the question is not whether data protection is good or bad, but who gets to pick those rules. I'm always amazed that some Europeans will wax on about data protection being a fundamental human right, but then fail to embrace democratic self-governance. I would hope that countries with a history of imperialism would teach their citizens to be more sensitive to these issues.

It's always interesting to watch the European By David Goldstein  –  Dec 21, 2019 6:21 am PDT

It's always interesting to watch the European v American battle over issues such as privacy. European nations value privacy for their citizens whereas Americans have little regard for it. When it comes to the GDPR, from what I've observed those businesses that have adapted have benefited from it. Volker is right.

That's too much of a caricature to By Daniel Castro  –  Dec 23, 2019 5:22 am PDT

That's too much of a caricature to say Europeans value privacy and Americans don't — the ground truth is more complicated.

And the evidence for GDPR is quite poor so far, unless you just mean big tech firms, in which case, I agree they may ultimately benefit from it by facing less competition in the future.

https://www.techdirt.com/articles/20190521/17425842255/one-year-into-gdpr-can-we-declare-it-total-failure-yet.shtml

https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-costs-and-unintended-consequences/

https://www.datainnovation.org/2019/06/what-the-evidence-shows-about-the-impact-of-the-gdpr-after-one-year/

You do need to read more widely. By David Goldstein  –  Dec 24, 2019 6:22 am PDT

You do need to read more widely. And yes, it is true, Europeans DO value privacy more than Americans. It's something that's been obvious for years. It's why the GDPR came in. Europeans cared, Americans don't.

WHOIS was our roster By Karl Auerbach  –  Dec 31, 2019 3:20 pm PDT

Your note makes a comment that WHOIS started in order to keep track of people with domain names. That was not the case.

Rather, the WHOIS list started well before there was a domain name system at all.  There was a thing called the ARPAnet handbook and later the ARPAnet managers handbook.  I was in those even though I had no host names, much less any not-yet-existing domain names.

These were essentially rosters - like a list of members in a club - of those of us engaged in research, development, and operations on the nascent network.

There was nothing mandatory or necessary about being listed. There was no waving of hands or rending of garments that being listed was necessary for stability of the net. Those reasons were created post hoc - I never heard those kinds of arguments about the need to be listed until well more than a decade later.

How dare you cite facts!! You're By Michele Neylon  –  Jan 02, 2020 6:08 am PDT

How dare you cite facts!!  You're interfering with the hyperbolic hysteria!

